Friday, September 29, 2017

Re: VIM and NVD Vulnerability

On Do, 28 Sep 2017, Ramsey, Susanne B. wrote:

> Greetings;
>
> The National Vulnerability Database (NVD) lists a high vulnerability for VIM 8.0. https://nvd.nist.gov/vuln/detail/CVE-2017-11109
> Vim 8.0 allows attackers to cause a denial of service or possibly have unspecified other impact via a crafted source (aka -S) file.
> NOTE: there might be a limited number of scenarios in which this has security relevance.
>
>
> Unfortunately, the info provided in the CVE does not specify if it is only the initial release 8.0 or the subsequent patched versions that are vulnerable. I have searched the VIM website readme and other documents but can't find the answer, so I am turning to you. I appreciate your assistance. Is the current version still vulnerable to the issue noted above or has this been remediated in the patch updates?

If I read the debian changelog correctly, this has been fixed:
,----
| * Backport upstream patches to fix CVE-2017-11109 (Closes: #867720)
| + 8.0.0703: Illegal memory access with empty :doau command
| + 8.0.0706: Crash when cancelling the cmdline window in Ex mode
| + 8.0.0707: Freeing wrong memory when manipulating buffers in autocommands
`----

Christian
--
Alles Wichtige lernt man von den Frauen, alles Unwichtige vergißt
man bei ihnen.
-- Hans Söhnker

--
--
You received this message from the "vim_use" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php

---
You received this message because you are subscribed to the Google Groups "vim_use" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vim_use+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

No comments: